ConfigServer Community Forum

Hi guys

I'm using csf v10.05 to block brute force attempts and it's working well but with one minor issue:

It's also blocking genuine access to the websites.

I'm using the CC_DENY = country codes here and I was mistakenly under the impression it would ONLY block WHM or root level access through SSH.

Is there a better solution to what I am doing...? Could I for example whitelist my country and...

Hi,
I been running my server without any issues for over a year now.
Starting a couple days ago I started receiving this: Excessive resource usage: rpcuser every hour out of no where.
I understand I can add this to the ignore list but I just wanted to see if anybody knows if this is some kind of hacking attempt or if the server may be compromised in any way.

Thanks for any help.

Hello

Im using OpenLitespeed (last version) with CentOS7.
I'd like to block offending IPs but sound like that, following this im unable to do that.

I've configured OpenLitespeed to put logs in the form of vhost1.access.log vshost2.access.log in /usr/local/lsws/logs/vhosts/

Here's an example

444.444.444.155 - - GET /xmlrpc.php HTTP/1.1 404 655 - Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)...

Hello all.

I have a fully dedicated VPS with GoDaddy. The only thing they manage is the physical server the VPS resides on and ensure that my VPS is up...I am 100% responsible for all configurations, maintenance etc. I downloaded CSF and installed it and then ran the ./csftest.pl script to see what its doing, I get the following:

# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing...

In my log file I have seen someone to brute a lot of vulns, there are over 256 entries, but they only try twice for each attack, then try another vuln.

However the string of
x=upload&mode=upload&upload=&ssp=RfVbHu&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H=
is always present.

GET...

Hi,

How to allow ossec agent to communicate? Which place do need to allow udp port in csf?

Thanks./

Since I re-installed CSF on my new server I get continual emails every few minutes.

They are about blocking access to IP's, port scanning, etc.

How can I stop them from sending emails every few minutes?

Thanks,

Greetings,

How to block IP with authentication failure to Samba service just like or similar to SSH service.

Thanks,

Hi,
I really like the CSF tool but am getting lots of alerts for suspicious process and excessive resource usage . These are for processes I know about and am ok with the resource usage.
I've got them filtered to go into a special mail folder, but the constant alerting obscures when I get an email I want to read. Similarly, I'll never know if I really DO have something problematic because the...

Hello,

I'm trying to create custom regex in CSF to block failed logins for SoftEther VPN .

Here is part of the log file :

2017-04-03 18:22:28.210 OpenVPN Session 124 (55.55.55.55:49490 -> 192.168.0.19:1194) Channel 0: Failed to connect a channel.
2017-04-03 18:22:28.246 Connection CID-114 terminated by the cause User authentication failed. (code 9).
2017-04-03 18:22:28.246 Connection CID-114...

Hi there,

I have tried using different paths and regular expressions pointing to the executable that is causing me constant excessive resource emails but I can't seem to find the right one. I am currently getting that the executable is the following:

Executable: /opt/cpanel/ea-php56/root/usr/bin/lsphp.cagefs

I tried doing

pexe:/opt/cpanel/ea-*/root/usr/bin/lsphp...

I'm recently not getting the end of the daily log scanner reports as it's being truncated to some maximum number of lines setting.

Is there a way to either increase the maximum number of lines - or choose to exclude some sections entirely?

My report is dominated by firewall block events - which I guess I'm not really that interested in as they were successfully blocked.

TY!

Had this message in the rkhunter log this morning for the first time.

Is it a worry?

TY!

what can i do ? i have changed all account passwords but somwthing continue to create this process.
This is a joomla website (updated) . I need exploit scanner?

Time: Thu Mar 31 16:03:56 2016 +0200
PID: 11550 (Parent PID:9249)
Account: archeage
Uptime: 97 seconds

Executable:

/opt/cpanel/ea-php55/root/usr/bin/php-cgi

Command Line (often faked in exploits):...

Hi,

Is is possible to configure Configserver to block IPs which are hammer a site's wordpress wp-login ?

I'm getting loads across different sites on the same server and would like to block at server level.

I already have all wp-admin pages blocked by http auth but robots are still hammering at wp-login, which creates load on server.

Thanks.

Tom.

Hello!

Since the last week my CSF install stops in the morning. I cannot find why and it does not restart by itself. I run start manually and runs all day without problem.

In the Logs i see this:

Nov 27 03:25:20 emma lfd : iptables appears to have been flushed - running *csf startup*...
Nov 27 03:25:25 emma lfd : csf startup completed
Nov 27 03:25:25 emma lfd : *Error* csf reported an error...

For the last week or so a server has had a very high load. The server has 4G of RAM and only has 6 websites on it and they are very low usage. When viewing the top processes LFD is always the top process and throughout the day, I get email notices from the server that it is out of memory and has killed and restarted lfd. Here is the top process on the server currently showing it using 60% of...

Hi,

This has started happening since 10.04 as far as we can tell. We'll reload CSF (csf -r) and all is good, 5 minute later the v6 rules have gone. We have some rules:

tcp|out|d=1234|d=host.example.org

Where host.example.org has a single v4 and single v6 address.

The v4 rules get created, the v6 rules are created, but then when the dyndns timer expires and the rules should be re-created, they...

What file do I edit to whitelist or safely ignore the lfd alert for wp-cron.php?

• csf.ignore
• csf.pignore
• maybe a different one?

I edit /etc/csf/csf.pignore and put this inside of it:

exe:/home/userXYZ/public_html/wp-cron.php

I even restart CSF from SSH PuTTY and WHM control panel

Why do I still receive email from LFD service?

Executable:

/usr/selector/php

Command Line (often...

Good morning,

I'm looking to whitelist process ONLY when it have specific command line
Is that possible?

Thanks,

Ed